Day Pitney’s Healthcare Law Blog provides regular updates on issues affecting all aspects of the healthcare industry. In this era of ever-increasing regulation, we monitor healthcare news and developments from all federal and state agencies, as well as significant court decisions and public policy initiatives. We cut through the jargon and give our clients and other readers what they need to know in a concise, no-nonsense style to save them time while helping them stay informed.

Eric Fader was quoted in an April 25 article, “Health-Care Provider Pays $31K for Lack of Privacy Contract with Vendor,” in Bloomberg BNA’s Health Care Daily Report and other publications. The article reports that the Illinois-based Center for Children’s Digestive Health (CCDH) may have violated HIPAA when it failed to sign a business associate agreement with a vendor, FileFax, Inc., before transferring nearly 11,000 paper medical records to FileFax for storage.

Under a recent resolution agreement, CCDH agreed to pay the Department of Health and Human Services’ Office for Civil Rights (OCR) $31,000 and enter into a two-year corrective action plan. Eric told Bloomberg BNA that the $31,000 settlement appears small considering the severity of FileFax’s underlying offense, disposing of unneeded patient records in an unlocked outdoor dumpster rather than shredding them.

“This is a reminder from the OCR that a covered entity bears the ultimate responsibility when its business associate fails to comply with its HIPAA obligations,” Eric said. Signing a business associate agreement, ideally after both parties have actually read it, will help to educate any entity that still hasn’t figured out its responsibilities under HIPAA, he added.